4 Facts About Operation Emmental

Could Malware Campaign Spread to U.S. and U.K.?
Malware tied to the Operation Emmental attacks that have plagued bank customers in Switzerland and three other nations first surfaced in 2013. But variants of the malicious code only recently gained the ability to bypass SMS-based two-factor authentication systems, says security vendor Trend Micro.

Furthermore, the attackers' relatively low-tech approach makes their attacks difficult for security software to identify or block.

A report released last week by Trend Micro said the ongoing attack campaign, dubbed Operation Emmental after the Swiss cheese, to date has targeted customers of 34 banks - including 16 in Switzerland plus others in Austria, Sweden, and, since May, Japan. Now, other security experts are weighing in on the threat.

The success of these so-called man-in-the-middle attacks is especially troublesome, says Trend Micro chief cybersecurity officer Tom Kellermann, because Swiss banks' information security practices rank among the world's best. As a result, he says, it's possible attackers might extend their campaign to the United States, United Kingdom or other countries more typically targeted by banking Trojans.

Here are four facts about the malware, and what the success of the ongoing attack campaign says about the state of banks' defenses:

1. Malware Taps Old Tricks

Operation Emmental attacks begin with spear-phishing e-mails, written in customers' local language, that try to trick them into executing a Windows Trojan, which changes their DNS settings, installs an SSL certificate, and tries to trick them into installing Android malware. If criminals can infect both a PC and mobile device, they can defeat the bank's SMS security checks and surreptitiously drain a customer's account.

The Windows malware tied to the attacks, called "Retefe," began as a "Bankentrojaner" customized for the Swiss-German language-speaking market, according to Microsoft.

Peter Kruse, a security specialist at Danish security vendor CSIS Security Group, says the Operation Emmental gang didn't write their attack code from scratch. Rather, the malware is a variant of the Zeus/Citadel banking Trojan.

Retefe first appeared in 2013. "It was pretty active in Switzerland since November of last year; it is one of the financial Trojans that we definitely see here, so it's not new on the scene," says Candid Wueest, a principal threat researcher with security response at Symantec, who's based in Zurich, Switzerland.

The malware also isn't the first to bypass SMS two-factor authentication. In 2010, for example, Trend Micro reported that a then-new variant of Zeus was able to bypass two-factor authentication. That was the same year that Android malware first appeared.

What Operation Emmental does do, however, is to combine all of the above capabilities into one attack campaign: spear-phishing e-mails trick users into executing malware, which tricks users into installing Android malware, which then gives attackers access to customers' bank accounts.

2. Attackers Use Low-Tech Approach

While Retefe dates to 2013, security experts say the gang behind the Operation Emmental attacks was first spotted in 2012, using - and renting - an advanced crimeware toolkit. But in an odd twist, the gang appears to have discarded that toolkit for a much simpler approach, based on malware with "a very small footprint on the machine," Wueest says. Notably, Retefe is designed to change the DNS settings, install a new root SSL certificate, and then delete itself, thus making related attacks tough to spot.

"We've seen Trojans doing this for a couple of years as well, so it's not new, but it is rare," he says.
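An added example, not taken from the article or from Trend Micro's report: because the Trojan deletes itself after changing DNS settings and installing a root certificate, detection has to key on the configuration changes left behind rather than on a file. The event format, host names, addresses, dates and thumbprints below are constructed assumptions standing in for an endpoint inventory export.

```python
from datetime import datetime, timedelta

# Constructed sample data: configuration-change events as an endpoint
# inventory tool might export them. All values are made up for illustration.
APPROVED_DNS = {"10.0.0.53", "10.0.1.53"}   # resolvers the organisation runs
BASELINE_ROOTS = {"AA11", "BB22"}           # placeholder root-CA thumbprints
EVENTS = [
    ("2014-07-28T09:00:05", "pc-017", "dns_set", "203.0.113.7"),
    ("2014-07-28T09:00:09", "pc-017", "root_added", "CC33"),
    ("2014-07-28T10:15:00", "pc-020", "dns_set", "10.0.1.53"),
    ("2014-07-28T11:30:00", "pc-031", "root_added", "DD44"),
    ("2014-07-29T08:00:00", "pc-044", "dns_set", "198.51.100.9"),
    ("2014-07-30T16:00:00", "pc-044", "root_added", "BB22"),
]

def triage(events, approved_dns, baseline_roots, window=timedelta(minutes=10)):
    """Return {host: severity}.

    'high'   = an unapproved resolver and an unknown root certificate appeared
               within `window` of each other (the pairing described above).
    'medium' = only one of the two deviations was seen on the host.
    Hosts with no deviation from the baseline are not reported.
    """
    dns, roots = {}, {}
    for ts, host, kind, value in events:
        when = datetime.fromisoformat(ts)
        if kind == "dns_set" and value not in approved_dns:
            dns.setdefault(host, []).append(when)
        elif kind == "root_added" and value not in baseline_roots:
            roots.setdefault(host, []).append(when)
    findings = {}
    for host in sorted(set(dns) | set(roots)):
        # Correlate the two change types per host by timestamp proximity.
        paired = any(abs(d - r) <= window
                     for d in dns.get(host, []) for r in roots.get(host, []))
        findings[host] = "high" if paired else "medium"
    return findings

if __name__ == "__main__":
    for host, severity in triage(EVENTS, APPROVED_DNS, BASELINE_ROOTS).items():
        print(f"{host}: {severity}")
```
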

Even the phishing messages are written on a low budget, with Wueest, a native German speaker, saying it's obvious attackers aren't native German speakers. Instead, they likely used Google to translate their messages. "The language isn't perfect - they're still missing some words in the spam e-mails here and there," he says. Victims are nonetheless evidently still being tricked into opening phishing e-mails.

All of those attack techniques and choices are designed to maximize profits while minimizing effort. "The attackers are very good at what they do, and they're incentivized, because the profits and the value they can get back is actually remarkably high," security and risk analyst Andrew Rose of Forrester Research tells Information Security Media Group. "Just from small pieces of malware they can make a great deal of money in quite a short time."


Andrew Rose, principal analyst, security and risk, Forrester Research.

3. Swiss Attacks Unusual

While Switzerland - by virtue of its renowned banking sector - might seem to be a high-profile target for Trojan-wielding attackers, at least historically, that's not been the case. According to a 2013 study from Symantec, for example, U.S. PCs were far more likely to be infected by a banking Trojan, followed by Japan, the United Kingdom and Germany. The most-attacked bank in Switzerland, meanwhile, ranked in 106th place on the list of the 1,486 institutions most targeted by attackers. Overall, 60 Swiss financial services firms were targeted by Trojans.

Targeting Swiss banks means attackers likely have associates based in Switzerland, Wueest says. "The problem isn't so much getting the money into the accounts, but getting it out, so maybe they had some good [local] money mule connections."

Any fraudulent transfers or withdrawals that happen from outside a customer's country will typically trigger alarms. "If you try to withdraw funds from a U.K. account and you try to send or transfer money to a Romanian account - or any Eastern European account - it usually raises some red flags. Probably some of the money will then get frozen for the day before it clears and gets through, which makes it less ideal if you try to scam a lot of people," Wueest says.

4. Attackers Subvert Defenses

While the gang's attacks have been compromising customers of the 34 banks - which Trend Micro has so far declined to name - attackers' ability to bypass the one-time code SMS systems doesn't mean banks should stop using two-factor authentication systems. "First and foremost, financial institutions across the globe should be applauded, not lambasted, for their efforts to implement multi-factor authentication," says JD Sherry, vice president of technology and solutions for Trend Micro, in a blog post.

But Operation Emmental is a reminder that for every defense information security vendors build and banks employ, it may be only a matter of time before dedicated attackers design a way to bypass it. "Operation Emmental is a clear example of how the attack patterns on banks and their end users will look in the coming months," Sherry says. "Attackers continue to engineer for the next generation of phishing, coupled with man-in-the-middle attacks on financial institutions not only in Europe, but also all over the world."


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



